{
	"id": "73694423-ac7d-4347-b727-972118a69d20",
	"created_at": "2026-04-06T00:17:19.40958Z",
	"updated_at": "2026-04-10T13:12:53.221239Z",
	"deleted_at": null,
	"sha1_hash": "4d70767a9f41fee42a3cf55984a16590c61c2ee4",
	"title": "malware-research/oceanlotus at master · eset/malware-research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43771,
	"plain_text": "malware-research/oceanlotus at master · eset/malware-research\r\nBy marc-etienne\r\nArchived: 2026-04-05 12:48:17 UTC\r\nCollection of helper scripts for OceanLotus\r\nThis repository contains scripts to help analysing OceanLotus' latest campaign using the legitimate \"rastls.exe\" application for side-loading.\r\nAs described in the ESET research whitepaper, there are two components that have encrypted payloads: the fake document (dropper component) and the backdoor (rastls.dll).\r\nol_unpack_shellcode_from_decoy.py will unpack the shellcode embedded in the resource of the (fake) decoy document.\r\nol_unpack_files_from_3rd_stage.py is almost the same script, but it is used for the third stage of the dropper part, obtained after the emulation (using shellcode_emulator) of the shellcode output by ol_unpack_shellcode_from_decoy.py. The script extracts the encrypted and compressed configuration and parses it. It prints the possible install paths for the backdoor and its persistence mechanism. Finally, the script drops all the backdoor components (e.g. rastls.exe, rastls.dll and SyLog.bin). The Kaitai Struct structure ol_decoy_dropped_files.ksy was used to create the Python class.\r\nBoth of these scripts use lief as a PE parser, so make sure to install it beforehand.\r\nol_unpack_files_from_3rd_stage.py uses Kaitai Struct.\r\nol_unpack_shellcode_from_backdoor.py decrypts the shellcode of an installed backdoor using the key and IV embedded in the rastls.dll file and the encrypted OUTLFLTR.DAT file (or SyLog.bin, depending on the version).\r\nThe folder shellcode_emulator contains a script and its description to run the shellcode emulator. Since the same shellcode is used everywhere during this campaign, it was faster to emulate it instead of using dynamic analysis.\r\nThe following flow could be used to obtain the dropped files from the decoy document (the dropper):\r\nol_unpack_shellcode_from_decoy.py ⇒ ol_shellcode_emulator.py ⇒ ol_unpack_files_from_3rd_stage.py\r\nThe following flow could be used to obtain the third stage of the backdoor component:\r\nol_unpack_shellcode_from_backdoor.py ⇒ ol_shellcode_emulator.py\r\nhttps://github.com/eset/malware-research/tree/master/oceanlotus\r\nFinally, this repository also contains the Kaitai structure for the fifth stage of the backdoor component. It will parse the configuration structure of the decrypted resource. In order to generate a parser class or visualize it, Kaitai Struct should be installed.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/eset/malware-research/tree/master/oceanlotus"
	],
	"report_names": [
		"oceanlotus"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434639,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d70767a9f41fee42a3cf55984a16590c61c2ee4.pdf",
		"text": "https://archive.orkl.eu/4d70767a9f41fee42a3cf55984a16590c61c2ee4.txt",
		"img": "https://archive.orkl.eu/4d70767a9f41fee42a3cf55984a16590c61c2ee4.jpg"
	}
}